To strengthen the company’s resilience in information security (infosec) and the respective management mechanisms, we have integrated an approach from the corporate governance perspective by putting in place a comprehensive set of infosec policies, conducting regular cybersecurity drills, and organizing employee education and training to enhance overall infosec awareness. The ASEH Information Security Policy provides the highest level of management guidance to protect the confidentiality, integrity and availability of critical information assets, and to ensure compliance with relevant laws and regulations. With a robust infosec policy in place, ASEH is well positioned to boost customer trust, strengthen industry competitiveness, and maintain business continuity. We assess information security risks in accordance with regulatory requirements and business goals, and provide a status report to senior management and the Board. The report offers a succinct overview of the infosec challenges and the current status, and forms the basis for management and the Board to formulate additional guidelines, strategies and targets.
During Richard H.P. Chang’s tenure as General Manager, he managed ASE’s key operations, administration, and major affairs. In terms of information security, the Corporate Sustainability and Information Security Management Committee was established under the Board of Directors, chaired by Richard H.P. Chang, the current Vice Chairman of ASEH. The committee is responsible for overseeing the development of ASEH’s overall information security strategy and maturity benchmarking, planning and supervising enterprise-wide cybersecurity risk management, monitoring the implementation of information security operations across subsidiaries, and coordinating the integration and communication of internal and external technical resources and threat intelligence. These collective efforts aim to enhance ASEH’s information security capabilities and reduce potential threats and risks. ASEH’s Chief Information Security Officer (CISO), a position created by the Corporate Sustainability and Information Security Committee and concurrently held by the Chief Administrative Officer and Head of Corporate Governance, is responsible for establishing the information security management framework, which includes regular reviews with all ASEH subsidiaries and the implementation of incident response plans. The committee provides a status report to the Board of Directors in the last quarter of each fiscal year. In addition, the Executive Secretariat of the Company's Corporate CSR Division is responsible for promoting and executing information security-related work, and each subsidiary appoints its information security team as members of the committee, responsible for implementing the information security operations resolved by the Information Security Management Committee.
We hold quarterly meetings of the ASEH Information Security Management Committee to report on and discuss the progress of our information security work, and invite external experts to share information security trends and significant issues.
As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we conduct the NIST CSF maturity assessment at all facilities every year. Our cybersecurity policies are formulated to ensure the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to enhance employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and will greatly boost stakeholder satisfaction.
To effectively manage the adjustments and enhancements made to the cybersecurity strategy and cybersecurity defense system of each subsidiary, ASEH began implementing the NIST CSF maturity assessment mechanism in partnership with third-party consultants in 2019. The overall maturity level in cybersecurity was assessed based on five key indicators: Identify, Protect, Detect, Respond, and Recover. We have been gradually shifting our focus to refining and deepening our cybersecurity requirements. Each factory site can undertake individualized cybersecurity enhancements based on its own maturity assessment results and recommendations for improvement. We benchmark ourselves against the semiconductor industry and are committed to understanding our own cyber environment better. We assess the risks that impact each subsidiary in different cybersecurity areas, countries, or operations and consolidate resources to provide better guidance and support. Our goal is to implement and continuously improve foundational cybersecurity management across businesses. In 2024, we continued the maturity assessment mechanism from the previous year and kept collecting data on each subsidiary’s current cybersecurity management and controls, as well as its cybersecurity frameworks and policies, across NIST CSF’s five assessment dimensions. In addition, driven by digital transformation, IT and OT are converging ever more closely. In particular, the scope of horizontal implementation is extending from IT to OT, with the goal of bringing the cybersecurity maturity of OT closer to that of IT. This approach is adopted to gradually enhance the cybersecurity defense capabilities of critical operational systems within the company. In 2024, we engaged PwC Taiwan to continue the maturity assessment process.
Using consistent vertical quantitative metrics, the assessment covered areas such as policy maturity, control maturity, management maturity, audit maturity, and supply chain maturity. The results provided concrete insights to progressively strengthen the cybersecurity defense capabilities of the company’s critical operational systems.
We engage third-party audit firms annually to conduct information security audits, system vulnerability scans, and penetration testing to ensure that our information systems and network environments comply with security implementation standards. These efforts help enforce information security policies and customer privacy protection measures, effectively preventing the leakage of trade secrets and customer data. Tools used include Nessus for vulnerability scanning, BitSight for security ratings, the SecurityScorecard platform for analysis, and red team assessments to evaluate system defense capabilities and incident response maturity. Additionally, the company provides monthly BitSight security rating reports to all sites for reference and continuous risk management improvement.
As we enter the era of digital transformation, we are not only continuing to strengthen cybersecurity measures, but also extending our expertise to the Operational Technology (OT) domain. In 2022, we launched an OT cybersecurity assessment program, engaging external experts to identify and test potential risks in OT systems. In 2024, a total of seven sites completed the OT assessments, progressively building a cross-domain integrated cybersecurity defense framework.
In addition to external audits, ASEH also conducts regular internal self-assessments of its Information Security Management System (ISMS) based on the NIST Cybersecurity Framework (CSF) and ISO 27001. These assessments evaluate the effectiveness of risk management, control measures, and incident response processes, and the results are reported to senior management and the Board of Directors. In the event of an unexpected cyberattack, the Information Security Management Task Force promptly convenes technical response meetings to analyze and review defense strategies, building a synchronized and comprehensive security network to respond to threats in real time.
In addition to managing operational risks from the perspective of corporate governance, we work to increase employees’ cybersecurity awareness and enhance organizational operational capabilities as part of our focus in cybersecurity management. All employees at ASEH must receive PIP cybersecurity educational training, covering the cybersecurity policy, the cybersecurity management framework, cybersecurity control measures, etc. In 2024, a total of 147,289 individuals completed 89,371 hours of training courses. Additionally, occasional social engineering email drills were conducted to enhance employees' awareness of email-based social engineering attacks. We will also gradually introduce systematic management mechanisms to incorporate participation in cybersecurity meetings, educational training, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects in a systematic manner. Moreover, KPI monitoring and audits are conducted, extending the scope of management to reach every employee and every endpoint device. This will be integrated with employees’ performance evaluations to reduce penalties and legal liabilities resulting from violations of cybersecurity regulations, as well as the impact on business operations.
In 2024, no major information security incidents occurred at the company. To strengthen our cybersecurity response and protection capabilities, the company established a well-defined set of "IT Security Incident Reporting and Emergency Response Procedures". The procedure serves as a unified employee guideline that outlines detailed specifications, including incident classification, response team structure, severity level determination, reporting and handling procedures, incident monitoring and closure, follow-up investigations, corrective actions, and evidence collection. Cybersecurity incident drills are also conducted regularly to enhance employees' awareness and improve response efficiency.
The ASEH Information Security Management System further integrates cyber threat intelligence sharing and incident reporting, two core functions that enable real-time monitoring of internal and external threats, ensure timely reporting and resolution of incidents, and significantly enhance overall risk visibility and collaborative defense capabilities. With the increase in cybersecurity threats and the risks they pose to business operations, we have adopted a risk-based approach by securing cyber insurance coverage for the company. This added layer of protection allows us to respond swiftly to incidents and contain the impact of any cyberattacks, minimizing potential losses to company operations, customers and supply chain partners, and facilitating rapid business recovery.
To ensure the sustainable operation of important businesses and prevent interruption of critical information systems as a result of material cybersecurity incidents, we conduct an incident recovery drill every six months. The drill plan lays out the organizational structure diagram, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel for the drill, implementation steps and processes of the drill, required resources, data recovery from backup, risk management during the drill, and post-drill review and improvement processes, among others. The purpose is to ensure the company can leverage its disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level for the business, achieving the goal of uninterrupted operation of critical information systems. The drill will continue to be implemented to provide maintenance, management, and training to ensure the effectiveness of the backup systems.
ASEH works closely with government agencies and local and international information security organizations, including FIRST, the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), and the High-tech Information Security Alliance. As a member of the SEMI Semiconductor Cybersecurity Committee, we are actively driving the industry’s adoption of SEMI E187 – Specification for Cybersecurity of Fab Equipment, a Taiwan-initiated security standard. Adopting the relevant infosec regulations, standards and industry intelligence allows us to integrate our internal management systems and expertise, and to develop a comprehensive set of capabilities that will further strengthen our resilience.
At the same time, we are committed to meeting the expectations from our upstream and downstream supply chains and stakeholders on matters related to information security. ASEH’s strong and robust security defense leads to a tightly-secured smart manufacturing environment and increases the company’s competitive advantage as a sustainable enterprise.
As a result of the digitization of the supply chain and the exchange of large volumes of data, the supply chain faces unprecedented cybersecurity risks. To effectively improve cybersecurity resilience across the supply chain, ASEH established the Supplier Cybersecurity Assessment and Execution System in 2022, which primarily focuses on critical suppliers. A total of 96 supplier cybersecurity assessments were conducted in 2024, following a four-step process consisting of current situation assessment, guidance for improvement, results confirmation, and cyclic survey. The scope of the assessments will be gradually expanded, and a regular follow-up survey conducted every three years, to construct a comprehensive cybersecurity management mechanism, ensure stable business operations, increase cybersecurity resilience, and further improve the overall cybersecurity environment and level in the semiconductor industry.
ASEH prioritizes cybersecurity issues, identifying internal and external risks, and developing and promoting various key response strategies. It has earned recognition with international cybersecurity certifications, including ISO 27001, ISO 22301, ISO 15408, ISO 21434, IEC 62443, GSMA, and others. Through continuous management of corporate operations and adherence to international information security standards, ASEH rigorously reviews and optimizes cybersecurity workflows and management measures, enhancing operational resilience. This comprehensive approach safeguards smart manufacturing security and sustains competitive advantages for the company.
To build a stable and robust foundation for the IT environment, ASE Kaohsiung, ASE Chungli, ASE Shanghai (Material), SPIL, and USI continue to improve and implement cybersecurity risk management targeting critical information systems that are essential to the operation of crucial facilities.
ASE Kaohsiung and SPIL have successively obtained the BCMS (business continuity management system) ISO22301 certification to strengthen crisis management and disaster response.
ASE Kaohsiung, Chungli and Singapore have been certified to EAL6, the highest level of security certification, creating a manufacturing environment and management system that comply with international standards for secure products and enhancing the security management mechanisms for product transportation. We provide cybersecurity guarantees for manufacturing processes such as packaging and testing to offer better customer service.
ASE Kaohsiung is the first semiconductor assembly and testing facility in the world to receive the ISO/SAE 21434 international automotive cybersecurity standard certification, with 100% compliance certified by TUV NORD of Germany.
ASE Kaohsiung successfully completed the German TUV NORD’s professional evaluation and obtained the IEC 62443-2-1 certification, becoming the very first company in the Taiwan semiconductor industry to receive the certification.
ASE Kaohsiung has passed the mobile communication security certification standard and obtained the GSMA certification. As a manufacturer, it completed a comprehensive audit of its production sites and processes to comply with the UICC production security standard (GSMA SAS-UP).
ASEH approaches internal initiatives from a corporate governance perspective, establishing information security policies, conducting regular cybersecurity drills, providing cybersecurity education and awareness training for employees to enhance overall security awareness. It invites representatives from industry, government, and academia to share international cybersecurity developments regularly, increasing crisis responsiveness. Externally, ASEH actively participates in international cybersecurity organizations such as FIRST, TWCERT/CC Taiwan Cyber Security Alliance, and High-Tech Cyber Security Alliance. Through these communication channels, it shares the latest trends and action plans with industry peers and supply chain partners, elevating cybersecurity protection levels. Simultaneously, by aligning certification efforts with international standards, ASEH strives to mitigate cybersecurity threats, ensuring secure operations and fostering long-term, solid partnerships with customers and supply chain partners to provide more comprehensive and refined services.
Cybersecurity Policies, Organizations, and Goals
Established the Corporate Sustainability and Information Security Committee
Zero material cybersecurity incidents
Formulated three cybersecurity goals for 2030
Convened four ASEH cybersecurity team meetings
Information Security Implementation and Safeguards
Implementation of one ASEH Information Security Management System
NIST CSF maturity assessment for 25 sites
Conducted red team assessment at 5 sites
Provided monthly BitSight security rating reports
OT cybersecurity assessment at 7 sites
Conducted internal audits based on NIST CSF and ISO 27001 frameworks
Two cybersecurity incident drills
Provided cybersecurity educational training to 147,289 individuals
Accumulated 89,371 hours of cybersecurity educational training
Ongoing cybersecurity insurance coverage
Conducted cybersecurity assessments for 76 suppliers
Cybersecurity Certification
ISO 27001 certified (ISMS): ASE Kaohsiung (TUV NORD), ASE Chungli (TUV NORD), ASE Shanghai Material (TUV NORD), ASE Korea (LRQA), SPIL (BSI), and USI Nantou (AMERICO)
ISO 22301 certified (BCMS): ASE Kaohsiung (BSI), SPIL (BSI) and USI Nantou (DQS)
ASE Kaohsiung certified with IEC 62443-2-1 (TUV NORD)
ISO 15408 EAL6 highest-level certification: ASE Kaohsiung (BSI), ASE Chungli (ANSSI), and ASE Singapore (BSI)